Yeah after reading all the reviews I found that FreeBSD, OpenBSD, and
Slackware were among the most secure & least hacked.
----- Original Message -----
From: "Brian" <[EMAIL PROTECTED]>
To: "Allen May" <[EMAIL PROTECTED]>
Cc: "Sean Young" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, March 26, 2001 3:08 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525
> If you at all consider the computer based firewall solution, openbsd is
> worth at least a look.
>
> Bri
>
> On Mon, 26 Mar 2001, Allen May wrote:
>
> > Is the outside interface still open to SSH connections? If so & it's
> > compromised, Linux is a full blown operating system that, when
compromised,
> > can have ANY program designed for Linux installed. Can you imagine
> > something like a packet analyzer grabbing all your passwords and sending
> > them out over the net to someone else? Ewww. That's my #1 reason for
going
> > with something like a PIX. Just make sure you're IDS is set to notify
even
> > in the event of a SUCCESSFUL connection. I've seen people who set it up
for
> > unsuccessful attempts only.
> >
> > I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
> > That's totally a matter of point of view on that decision & his wasn't
> > wrong..neither was the Linux choice. Some situations call for one while
> > others call for the other.
> >
> > Oh and keep a copy of the correctly configured drive with all settings
on
> > hand. A hard drive is much more prone to failure than RAM/ROM just due
to
> > the moving parts involved.
> >
> > Allen
> > ----- Original Message -----
> > From: "Sean Young" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > <[EMAIL PROTECTED]>
> > Sent: Sunday, March 25, 2001 3:05 PM
> > Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
PIX
> > 525
> >
> >
> > > Ken,
> > > Thank you very much for the advice. This past Friday, my company has
> > > decided to use Linux as our company Firewall. Furthermore, we've
decided
> > > that this Firewall will be running kernel 2.4.2 with only two services
> > > running on it, SSH and netfilter (aka iptables). I've tested kernel
> > > 2.4.2 in the lab and notice it performs better than kernel 2.2.x.
I've
> > also
> > > performed various intrusion detection tests on the box using
> > > Cisco NetSonar, Cybercop, ISS, Axent Netrecon but is unable to break
> > > it. The linux box is rock-solid. I am also running portsentry (IDS)
> > > on the Firewall itself.
> > >
> > > Also, we decide to running our squid proxy server on another linux box
> > > to provide transparent caching for our internal users. As far as VPN
is
> > > concerns, we are going to implement FreeS/WAN on another box. I think
> > > in the long run, it is going to save the company a lot of money. We
> > > end up not buying the PIX and web-caching engine from Cisco. Oh, the
> > > networking guy in our group who recommends Cisco PIX and Cisco web-
> > > caching engine as a solution, he has been fired. Go figure.
> > >
> > > Regards,
> > > Sean
> > > P.S. Priscilla, why not implementing TRANSPARENT caching by using
squid
> > > to speed up internet connection for your users? Squid is free and
very
> > > secure and easy to use.
> > >
> > > >From: [EMAIL PROTECTED]
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: [EMAIL PROTECTED], "Stuart Brockwell"
<[EMAIL PROTECTED]>
> > > >Subject: Re: Performance Comparision between Linux OS Firewall and
Cisco
> > > >PIX 525
> > > >Date: Sat, 24 Mar 2001 20:02:26 -0800
> > > >
> > > >Sean,
> > > >
> > > >Comments imbedded:
> > > >
> > > >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> > > >
> > > > > Hi Sean,
> > > > > I am a Linux head my self, and one of our firewalls is in
fact
> > > > > running
> > > > > on a Linux box. The only problem with this type of firewall is
that
> > > > > you inherit all of the known bugs that the software has. Given
that
> > > > > the source code to Linux is widely available, you have a lot of
very
> > > > > talented people out there who know these holes and are able to
exploit
> > > > > them very easily.
> > > >
> > > >It also means that there are a lot of talented people who are looking
> > > >at the code to make sure that any holes are patched. In fact, when
> > > >new exploits are found, Linux is usually the fastest platform to have
> > > >a patch available. Compare this to having to wait weeks for vendor
> > > >patches or having to prove to a vendor that a problem exists.
> > > >
> > > >Also, a service can only be exploited if it is running. A properly
> > > >configured firewall doesn't run unecessary services, this makes it
> > > >very difficult to exploit. Essentially, it would come down to trying
to
> > > >DoS it or running a password guessing program against it to get
> > > >remote access.
> > > >
> > > >
> > > > If you
> > > > > maintain your own Linux firewall, you will need to continuously
look
> > > > > for the latest bug fixes to install on your Linux box to address
the
> > > > > latest round of holes that have been released.
> > > >
> > > >If the Linux firewall is properly setup, the only services running on
it
> > > >are ipchains and SSH. This means that you have to be aware of 2
> > > >services. While there could always be a local exploit, if only
> > > >trusted admins have access, the trouble with keeping up patches
> > > >is minimal. It is certainly no more trouble than keeping up with
> > > >bugs on a vendor platform.
> > > >
> > > > >
> > > > > Cisco and companies such as Watch Guard closely guard their source
> > > > > code, often you can elect to take on a maintenance contract with
the
> > > > > firewall where you recieve all the latest fixes for a 12 month
period
> > > > > (this is what we did). As this is their bread and butter, they
spend
> > > > > a lot of time looking for holes and fixes to known bugs.
> > > > >
> > > >
> > > >While true, this doesn't mean that their code will have fewer bugs
> > > >or that the bugs will be patched quicker. There is a very large
> > > >support community for Linux that is very technical. Most bugs are
> > > >patched in a matter of days, sometimes hours.
> > > >
> > > >
> > > > > the main plus for each of
> > > > > the commercial packages is that there is large support base, where
as
> > > > > skilled Linux admin staff who can lock down a firewall are very
few
> > > > > and far between.
> > > >
> > > >This is simply not true. There is a very large community of Linux
> > > >developers and admins, and most of them are very knowledgable.
> > > >There are good mailing lists and _plenty_ of good Linux
> > > >security/firewall books, articles, web sites, etc. available.
> > > >
> > > >Locking down a Linux box is not rocket science. That is FUD that
> > > >is propagated by vendors who want to sell product. It's not hard to
> > > >configure a Linux box to be secure, the difficulty comes in running
> > > >lots of services and providing access to users. If you have a box
> > > >that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
> > > >secure, but none of these services should be running on a firewall.
> > > >
> > > >The bottom line is that there are several good commercial firewalls,
> > > >but that doesn't mean that a Linux box cannot serve as a good, low-
> > > >end alternative. Especially if cost is one of the main decision
> > > >factors.
> > > >
> > > >-Kent
> > > >
> > > >
> > > >
> > > >
> > > >_________________________________
> > > >FAQ, list archives, and subscription info:
> > > >http://www.groupstudy.com/list/cisco.html
> > > >Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]
> > >
> > > _________________________________________________________________
> > > Get your FREE download of MSN Explorer at http://explorer.msn.com
> > >
> > > _________________________________
> > > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
